Where Cybersecurity Meets Career Success – SecApps Learning

CyberArk PSM Session Management: Complete Guide (Workflow, Internal Users & Troubleshooting)

  • April 14 2026


Learn CyberArk PSM Session Management in detail, including PVWA & PSM internal users, login workflow, session recording, and troubleshooting. Beginner to advanced guide.


🚀 Introduction to PSM in CyberArk

CyberArk Privileged Session Manager (PSM) is a critical component used to secure, monitor, and record privileged sessions.

👉 It ensures that users never directly access target systems and that all activities are:

  • Monitored

  • Recorded

  • Audited


🧱 1. PVWA Internal Users (Backend Authentication Flow)

CyberArk PVWA uses internal users to authenticate and authorize access.


🔑 PVWAApp User

  • Used to load PVWA URL

  • Password stored in:
    👉 appuser.ini (encrypted)

🔄 How it works:

  1. User opens PVWA URL

  2. PVWAApp connects to Vault

  3. Loads portal interface


πŸ” PVWAGW User (Gateway User)

  • Used for user authentication & impersonation

  • Verifies user identity in Vault


🔄 Login Flow (CyberArk Authentication)

  1. User opens PVWA

  2. Enters local Vault credentials

  3. PVWAGW connects to Vault

  4. Validates user

  5. Access granted


🌐 Login Flow (LDAP Authentication)

  1. User selects LDAP login

  2. PVWAGW informs Vault (external user)

  3. Vault uses Bind User

  4. Connects to AD via Port 636 (LDAP Secure)

  5. AD validates user

  6. Access granted


βš™οΈ 2. PSM Internal Users (Core of Session Management)


πŸ”Ή PSMApp User

  • Uploads session recordings to Vault

  • Default Safe: PSMRecordings


🔹 PSMGW User

  • Retrieves target account credentials from Vault

  • Used during session initiation


🔹 PSMConnect User

  • Local user on PSM server

  • Used to establish session locally


🔹 PSMAdminConnect

  • Used for live session monitoring (shadowing)

  • Auditor role required

👉 Required group:
CyberArk_Auditors


🔹 PSMShadow User (VERY IMPORTANT)

  • Created for non-Windows connections

  • Example: Unix, DB, Network devices

🔄 How it works:

  • Each user gets dedicated shadow user profile

  • Created automatically during connection

⚠️ Real-Time Issue:

If a user cannot connect:

👉 Possible cause: Corrupted shadow profile

✅ Fix:

  • Go to: lusrmgr.msc (PSM Server)

  • Delete shadow user

  • Reconnect → new profile created


🔄 3. PSM Login Workflow (Backend Flow Explained)


🖥️ Example:

  • Account: admin60

  • Target: secappslearning.com

  • Safe: Windows-Domain-Safe


πŸ” Windows Session Workflow

  1. PVWA redirects session to PSM

  2. PVWAApp retrieves PSMConnect credentials

  3. PSMConnect logs into PSM server

  4. PSMGW retrieves target account password

  5. Session established using admin60

  6. User sees: “You’re being recorded”

  7. After session ends → recording uploaded via PSMApp


🌐 Non-Windows (Unix/DB/Network)

Same flow with one change:

👉 Step 4:

  • Session established using PSMShadow user


πŸ“ Recording Storage

  • Temporary:
    C:\Program Files (x86)\CyberArk\PSM

  • Permanent:
    πŸ‘‰ Vault Safe: PSMRecordings


🌐 Ports Used by PSM

System           Port
Windows (RDP)    3389
Unix/Linux       22
Oracle DB        1521
MySQL            3306
SQL Server       1433 / 1434

⚠️ Troubleshooting PSM Issues


🔴 Scenario 1: Error Before Recording Pop-up

👉 Issue is with PSM Server

Possible causes:

  • PSM service down

  • Configuration issue

  • Network issue


🔴 Scenario 2: Error After Recording Pop-up

👉 99% of cases → Target server issue


🔧 Connectivity Test

Run from PSM server:

TNC TargetServerIP -Port <PortNumber>
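
The connectivity test above, wrapped so that it checks every port this page lists for a given platform and says what a failure means. This is an added PowerShell example, not CyberArk's or the author's code; the function name Test-PsmTargetPort and the platform keys are assumptions made for illustration.

```powershell
# Added example (not CyberArk code). Port map copied from this page's port table.
$PsmTargetPorts = @{
    Windows   = @(3389)
    Unix      = @(22)
    Oracle    = @(1521)
    MySQL     = @(3306)
    SQLServer = @(1433, 1434)
}

function Test-PsmTargetPort {   # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Target,
        [Parameter(Mandatory)]
        [ValidateSet('Windows', 'Unix', 'Oracle', 'MySQL', 'SQLServer')]
        [string] $Platform
    )
    foreach ($port in $PsmTargetPorts[$Platform]) {
        # Same check as "TNC <target> -Port <port>"; warnings are folded into Note below.
        $r = Test-NetConnection -ComputerName $Target -Port $port -WarningAction SilentlyContinue

        $note = if ($r.TcpTestSucceeded) {
            'TCP path open: the fault is likely on the target side (account, service)'
        } elseif ($null -eq $r.RemoteAddress) {
            'Name did not resolve from the PSM server: check DNS or use the IP'
        } elseif ($port -eq 1434) {
            'TNC tests TCP only; SQL Server Browser listens on UDP 1434, so this is not conclusive'
        } else {
            'Blocked or not listening: check firewalls between PSM and target, and the target service'
        }

        [pscustomobject]@{
            Target        = $Target
            Platform      = $Platform
            Port          = $port
            RemoteAddress = $r.RemoteAddress
            TcpReachable  = $r.TcpTestSucceeded
            Note          = $note
        }
    }
}

# 'TargetServerIP' is the page's placeholder; replace it with the real target.
Test-PsmTargetPort -Target 'TargetServerIP' -Platform SQLServer | Format-Table -AutoSize
```

Run it from the PSM server, since that is the host that opens the connection to the target.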


🧠 Key Takeaways

✔ PSM ensures secure session access
✔ No direct login to target systems
✔ Sessions are always recorded
✔ Shadow users handle non-Windows connections
✔ Most issues are either PSM config or target system


🎯 Final Thoughts

Understanding PSM Session Management is critical for:

  • CyberArk Engineers

  • Security Administrators

  • Certification preparation (Defender/Sentry)

👉 Mastering PSM gives you strong control over session security, monitoring, and compliance.


Copyright 2022 SecApps Learning. All Right Reserved